ocsp-stapling through http proxy?
mdounin at mdounin.ru
Thu Oct 13 13:34:14 UTC 2016
On Thu, Oct 13, 2016 at 12:25:44PM +0200, rainer at ultra-secure.de wrote:
> we have been informed by our CA that they will be moving their OCSP-servers
> to "the cloud" - it was a fixed set of IPs before.
> These fixed sets could relatively easily be entered as firewall rules (and
> hosts-file entries, should DNS-resolution be unavailable).
> Of course, they could as easily be targeted by Script-Kiddies and
> Wannabe-Hackers as targets for a DDoS.
> As such, I would need to allow outbound http-connections to the whole
> internet, which is kind of exactly the opposite of what I want to do.
> And that's ignoring for a moment the necessity to allow outbound DNS...
> It would be cool if nginx would be able to do the stapling through a
OCSP stapling allows you to:
- provide your own file to staple using ssl_stapling_file
directive. It doesn't matter to nginx how the file was
obtained. You can even update it by hand. It might be
relatively straightforward to configure an automatic updating
process though. See http://nginx.org/r/ssl_stapling_file for details.
- use an explicitly configured OCSP responder with the
ssl_stapling_responder directive. It allows you to configure your
own OCSP responder at a fixed address, and then proxy requests to
the real responder. See http://nginx.org/r/ssl_stapling_responder
More information about the nginx
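Both approaches from the reply above, written out as a configuration. This is an added illustration, not part of the original message and not configuration shipped by the nginx project; the hostnames (ocsp.example-ca.test, www.example.test, static.example.test), the internal resolver address 192.0.2.53, the local listener 127.0.0.1:8080 and all file paths are assumptions chosen for the example.

```nginx
# Assumed names/paths: ocsp.example-ca.test is the CA's real responder,
# 192.0.2.53 is an internal DNS resolver, everything under /etc/nginx/ssl/
# is illustrative.

http {
    # 1. Local OCSP relay at a fixed address (ssl_stapling_responder case).
    #    Only this listener needs outbound HTTP and DNS; the TLS vhosts
    #    below only ever talk to 127.0.0.1, so egress rules stay narrow.
    server {
        listen 127.0.0.1:8080;
        server_name ocsp-relay.local;

        # Re-resolve the responder name at runtime (the CA's addresses are
        # no longer fixed). Using a variable in proxy_pass forces nginx to
        # use "resolver" instead of resolving once at startup. If outbound
        # DNS is not allowed at all, drop "resolver", hard-code an IP here
        # and reload nginx when it changes.
        resolver 192.0.2.53 valid=300s;
        set $ocsp_upstream ocsp.example-ca.test;

        location / {
            # No URI part in proxy_pass: the client's request URI is
            # forwarded unchanged, which is what GET-style OCSP needs.
            proxy_pass http://$ocsp_upstream;
            proxy_set_header Host ocsp.example-ca.test;
            proxy_http_version 1.1;
            # Fail fast: a stalled responder must not hang handshakes.
            proxy_connect_timeout 5s;
            proxy_read_timeout 10s;
        }
    }

    # 2. TLS vhost that staples via the relay. nginx never contacts the CA
    #    directly; the responder URL points at the fixed local address.
    server {
        listen 443 ssl;
        server_name www.example.test;

        ssl_certificate         /etc/nginx/ssl/www.example.test.fullchain.pem;
        ssl_certificate_key     /etc/nginx/ssl/www.example.test.key;
        # Issuer chain; required for ssl_stapling_verify to check the
        # relayed response before it is handed to clients.
        ssl_trusted_certificate /etc/nginx/ssl/ca-chain.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_stapling_responder http://127.0.0.1:8080/;
    }

    # 3. TLS vhost that staples a pre-fetched response (ssl_stapling_file
    #    case). nginx does no fetching at all here; the DER file is
    #    produced out of band, e.g. from cron via the same relay:
    #
    #      openssl ocsp -no_nonce \
    #        -issuer  /etc/nginx/ssl/issuer.pem \
    #        -cert    /etc/nginx/ssl/static.example.test.pem \
    #        -CAfile  /etc/nginx/ssl/ca-chain.pem \
    #        -url     http://127.0.0.1:8080/ \
    #        -respout /etc/nginx/ssl/static.example.test.ocsp.der.tmp \
    #      && mv /etc/nginx/ssl/static.example.test.ocsp.der.tmp \
    #            /etc/nginx/ssl/static.example.test.ocsp.der \
    #      && nginx -s reload
    #
    #    Only replace the live file when openssl reports "Response verify OK"
    #    and a "good" status; otherwise keep the previous (still valid)
    #    response rather than stapling an error or nothing.
    server {
        listen 443 ssl;
        server_name static.example.test;

        ssl_certificate     /etc/nginx/ssl/static.example.test.fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/static.example.test.key;

        ssl_stapling on;
        ssl_stapling_file /etc/nginx/ssl/static.example.test.ocsp.der;
    }
}
```

The relay in (1) is what makes (2) possible without opening outbound HTTP from every TLS server: one host or process with a fixed address carries the egress, and the firewall rule for it does not change when the CA moves. For (3), schedule the refresh well inside the response's validity window (responses are typically valid for days; refreshing every few hours is common) so a temporary outage of the responder never leaves an expired response on disk; the `.tmp` then `mv` sequence is there so nginx never reads a half-written file on reload.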